
Docker compose containers cannot access internet unless on host network - ipv6 only server

I am using docker compose on an IPv6 only Debian 11 server. I am having trouble getting internet access from the containers. Communication between the containers works like a charm. However, connecting to the outside world does not. I can only ping the outside world when I connect to the 'host' network (which I don't want to do for security reasons):

docker run -it --rm --network=host registry.ipv6.docker.com/library/alpine ping6 -c 2 google.com

^This resolved the address and pings alright. With the default or the bridge network I get ping6: bad address 'google.com'

My main question: What is the problem / how do I troubleshoot this?

I tried (in various combinations):

  • Compose files network_mode options
  • Providing explicit DNS in /etc/docker/daemon.json
  • Providing explicit DNS in the container definition for the compose file
  • Enabled ipv6 + provide fixed-cidr-v6 in /etc/docker/daemon.json
  • Checking the /etc/hosts and /etc/resolv.conf
{
  "ipv6": true,
  "fixed-cidr-v6": "fd00::/80",
  "dns": ["2a01:7c8:7000:195::8:195:8", "2a01:7c8:7000:195::135:195:135"]
}

Note: I did not install a firewall at first. During troubleshooting I installed ufw, which I did not configure and is currently disabled.

Hopefully this output will be helpful:

With --network=host

> docker run -it --rm --network=host registry.ipv6.docker.com/library/alpine cat /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
127.0.0.1       my-network
::1             my-network

> docker run -it --rm --network=host registry.ipv6.docker.com/library/alpine cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

nameserver 2a01:7c8:7000:195::8:195:8
nameserver 2a01:7c8:7000:195::135:195:135

> docker run -it --rm --network=host registry.ipv6.docker.com/library/alpine ping6 -c 2 google.com
PING google.com (2a00:1450:400e:810::200e): 56 data bytes
64 bytes from 2a00:1450:400e:810::200e: seq=0 ttl=118 time=3.365 ms
64 bytes from 2a00:1450:400e:810::200e: seq=1 ttl=118 time=2.848 ms

Without any network

> docker run -it --rm registry.ipv6.docker.com/library/alpine cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2      e484aa610139
fd00::242:ac11:2        e484aa610139

> docker run -it --rm registry.ipv6.docker.com/library/alpine cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

nameserver 2a01:7c8:7000:195::8:195:8
nameserver 2a01:7c8:7000:195::135:195:135

> docker run -it --rm registry.ipv6.docker.com/library/alpine ping6 -c 2 google.com
ping6: bad address 'google.com'

Any help is greatly appreciated!

You either need to manually forward IPv6 traffic on your host to the specified docker network, or add:

{
  "ipv6": true,
  "fixed-cidr-v6": "fd00:ffff::/80",
  "ip6tables": true,
  "experimental": true
}

to your daemon.json which does this for you (like with IPv4).

Here is an article going into more detail and explaining more alternatives (like the ipv6-nat docker image).

Be sure your cidr-v6 is part of the private address range (fc00:: to fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff), otherwise it could be publicly exposed and accessed without a NAT, thus becoming insecure.

This is still experimental, and overall IPv6 on docker, especially docker-compose, is not great.
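The checks from the answer above, written out as an added example that is not part of the original question or answer: a Python audit of a daemon.json that tests whether fixed-cidr-v6 lies inside the private range fc00::/7 and whether ip6tables is set. The function name `audit_daemon_json` and the `PUBLIC` sample are constructed for illustration; `QUESTION` and `ANSWER` are the two configurations shown on this page.

```python
import ipaddress
import json

# Unique local addresses: fc00:: through fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ULA = ipaddress.ip_network("fc00::/7")

def audit_daemon_json(text):
    """Return (key, finding) pairs for a Docker daemon.json passed as a string."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("ipv6") is not True:
        findings.append(("ipv6", "IPv6 is not enabled"))
    cidr = cfg.get("fixed-cidr-v6")
    try:
        net = ipaddress.ip_network(cidr, strict=False) if cidr else None
    except (ValueError, TypeError):
        net = None
    if net is None or net.version != 6:
        findings.append(("fixed-cidr-v6", "missing or not a valid IPv6 prefix"))
    elif not net.subnet_of(ULA):
        findings.append(("fixed-cidr-v6", f"{net} is outside fc00::/7 and could "
                         "be exposed publicly without NAT"))
    if cfg.get("ip6tables") is not True:
        findings.append(("ip6tables", "Docker will not forward IPv6 traffic for "
                         "you; it has to be forwarded on the host by hand"))
    elif cfg.get("experimental") is not True:
        # The answer's configuration sets this flag together with ip6tables.
        findings.append(("experimental", "not set alongside ip6tables"))
    return findings

# The two configurations from this page, plus one constructed counter-example.
QUESTION = '''{"ipv6": true, "fixed-cidr-v6": "fd00::/80",
  "dns": ["2a01:7c8:7000:195::8:195:8", "2a01:7c8:7000:195::135:195:135"]}'''
ANSWER = '''{"ipv6": true, "fixed-cidr-v6": "fd00:ffff::/80",
  "ip6tables": true, "experimental": true}'''
# Constructed: 2001:db8::/32 is the documentation prefix, standing in for a global one.
PUBLIC = '''{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64",
  "ip6tables": true, "experimental": true}'''

if __name__ == "__main__":
    samples = (("question", QUESTION), ("answer", ANSWER), ("public", PUBLIC))
    for name, text in samples:
        for key, finding in audit_daemon_json(text) or [("ok", "no findings")]:
            print(f"{name}: {key}: {finding}")
```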
